Wednesday, November 11, 2009

This bug is real proof that the SDL FAILS
The bug triggers an infinite loop in SMB{1,2}, pre-auth, no credentials needed...
It can be triggered from outside the LAN via (IE*).
The bug is so basic it should have been spotted 2 years ago by the SDL, if the SDL had ever existed:

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

Too bad someone published something only 3 days after discovering it. Why don't you share it with MS only? Maybe asking for money? This post is interesting but useless if you didn't share your discovery with MS. I'm sorry, but I'm not the "Hello! I'm here to destroy MS and everything else!" kind of guy.

The Internet Storm Center http://isc.sans.org/diary.html?storyid=7573 said you left out one line of code and there was also some formatting issues. The speculation was that this was intentional on your part "to give Microsoft a chance to get a fix in..."

What's wrong with Microsoft and their apparent lack of any security whatsoever? This exploit couldn't possibly have made it past any fuzzer or attempt at auditing the code. They still just throw code together and ship it the instant it compiles, bugs be damned.

SDL is a joke, a PR stunt at best. Probably just one bloke writing a blog and not something ever used inside Microsoft.

Responsible disclosure is something that only works if there are responsible vendors. As long as MS and others treat security as a PR issue, it's much better to do as Laurent did and let people know about the issues fast so they can take their own actions to mitigate problems / change vendor.

Excellent work Laurent. How long did it take to find this one? Fuck the non-disclosure or the "give micro$oft their time to fix it" people. They had their time.. they had PLENTY of time to fuzz the shit out of their code. How long did vista take? How many people work at micro$oft? God damn bluehat people have probably been saying this for years yet... seems like they're skipping that step of the SDL. Maybe releasing things full disclosure will make them change their ways (more than they already have) although that didn't work in the past. Fuck'em.

How dare Microsoft or anyone else attack Mr. Gaffie or call him irresponsible over the release of this vulnerability/poc. It is not my job nor Mr. Gaffie's to provide free consulting services to Microsoft in order to fix or improve their shitty products.

Maybe one day Microsoft will get it through their thick heads that compensation AND public recognition will slow the release of PoC source. From my understanding, they offer no compensation, no public recognition, no gifts (software/MSDN subscriptions).... NOTHING....

But, they expect all developers to volunteer their time, knowledge, and expertise for nothing.

If SDL fails, then why do products like Internet Explorer, SQL Server, Windows Media and Silverlight have much fewer (4 times less) critical flaws discovered each year than Firefox, Oracle, Quick Time and Adobe Flash Player?

that must mean that products like Firefox, Oracle, Quick Time, Flash player are just plain FAILures themselves, coded in a crappy way!

Anyway, you don't seem to understand what SDL is. If you believe that any development process could be able to lead to a flawless software, then you have no clue about what you're talking about.

You must think that Linux is a huge failure too, since the typical Linux distribution has many more flaws than any Windows version (even those developed without SDL).

No, I don't believe in flawless software, but I do believe in hardened SMB/IP/RPC/NTB, and in fuzzing, which allows spotting these kinds of vulnerabilities very fast. I don't believe in security by obscurity, which leads to this kind of dummy flaw. You talk about Linux; they don't have these kinds of no-user-interaction remote kernel panics.

What I'm trying to point out here is about 2 things:

They said new code goes through stress testing, fuzzing, constant review, blah. It's false, and this bug proves it: it's brand new code.

The other thing is they concentrate way too much on IE and the Office suite, while SMB, IPv6, etc. don't need any user interaction, and are critical as they run with kernel privilege.

The point of responsible disclosure is NOT to protect MS...it's to protect the businesses that depend on MS. Yes, MS missed something huge here, but that's no reason to put this out there for the world to have 3 days in. MS isn't who will be attacked, it's other businesses that may or may not be able to control this that will pay the price. Good work, but irresponsible thought process here.

Blogspot = free, mister. Calling Microsoft, you might end up losing like 30 euro before you even come close to the person to speak with. This way you can be sure they will find out, and besides that, it's way better than keeping it underground so that somebody codes a nifty worm which will cause massive amounts of Viagra spam in your inbox. Once I tried to report an XSS to Microsoft through the phone and I just gave up (they are still vulnerable to it today); they are like zombies moaning about whether you are a customer. I would nearly say I experienced how it was to be black in the middle of a circle of KKK members (not that any credit card company would listen better; if you find a security leak in something like HSBC you can just forget it, they just won't listen to you in any way until you post it on a blog/xssed or any other site to give it some wheels in the media).

Good research... There are STILL some problems in NetBIOS though, in older Windows, unreported, so this is no surprise... They have never given a sh*t about users' security. Look, the code is out, no patch? Is a 4-byte stack b0f that HARD TO PATCH? Fuck 'em, I tried reporting to them also, and 3 times they denied its existence! lol... I did also have this with the BSD security team; the top OS, or they think they're tops, does NOT LIKE to admit they did NOT CHECK SRC CODE! Simple as that, this should NEVER have gotten into a final or even close! Great research but, unfortunately, you are only helping fellow people who CARE ABOUT ALL SECURITY, not just one type... but NetBIOS is always and still so piss damn easy to attack; most users still don't use passes... or avoid using them for their own reasons... so I guess this shit will always exist, and I bet there is a cmd exec here ;) Cheers, xd

"And while this flaw is embarrassing for Microsoft, it's hard to see why anyone would bother to exploit it: It's only a denial of service, meaning that it locks up other computers, and it only works on the LAN, not over the Internet. So it's not good, but it's probably not a big deal. And it's not a "zero-day.""

Why don't they ever magnify issues in Linux or other products like this? SQL Server has had a little more than 10 security fixes (in 5 years!) while Oracle had over 300 in the same timeframe. Firefox accounts for 44% of browser vulnerabilities, ...

Yeh Microsoft sucks but hey, you should be more professional in your report. When you say "your vendor does not care" shows you are not subjective at all. Nice to be always a pro without any exception. Still MS sucks.

Nice find. Critical or not, Microsoft needs to refine its exploit reporting channels. Security researchers like him shouldn't have to publicly disclose this sort of stuff to get a patch released. It'd be a simple enough matter for MS to release a workaround patch for this via Windows Update. It'd be easy enough to check the system's settings for active shares, and if none exist, disable SMB until the real patch is released. If shares do exist, it would simply prompt the user after informing them of the risk level.
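The workaround the comment above sketches, written out as an added administrator-side illustration (not code from the original post or from Microsoft): enumerate user-created shares and, if there are none, block inbound SMB with Windows Firewall until a vendor patch lands; otherwise show the shares and ask. It assumes Windows Vista/7/2008 with `netsh advfirewall` and an elevated PowerShell session; the rule name is constructed.

```powershell
# Added example: interim SMB workaround for a host awaiting a vendor patch.
# Assumes Vista/7/2008 (netsh advfirewall) and an elevated session.
$ruleName = "Temp-Block-SMB"   # constructed rule name, not from the page

# Win32_Share reports every share; the default administrative shares
# (ADMIN$, IPC$, C$ ...) are filtered out so only deliberately created
# shares count as "active shares" in the sense the comment uses.
$userShares = @(Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -notmatch '^(ADMIN\$|IPC\$|[A-Z]\$)$' })

function Block-Smb([switch]$IncludeOutbound) {
    # NetBIOS session service (139) and direct-hosted SMB (445), inbound.
    foreach ($port in 139, 445) {
        netsh advfirewall firewall add rule name="$ruleName-in-$port" `
            dir=in action=block protocol=TCP localport=$port | Out-Null
    }
    if ($IncludeOutbound) {
        # The post says the bug can also be reached via IE, i.e. the client
        # side connecting out to a hostile server; cover that path too.
        foreach ($port in 139, 445) {
            netsh advfirewall firewall add rule name="$ruleName-out-$port" `
                dir=out action=block protocol=TCP remoteport=$port | Out-Null
        }
    }
    Write-Host "SMB blocked by firewall rules '$ruleName-*'."
    Write-Host "Roll back once patched: netsh advfirewall firewall delete rule name=`"$ruleName-in-445`" (and the others)."
}

if ($userShares.Count -eq 0) {
    # Nothing is being served, so refusing SMB costs this host nothing.
    Block-Smb -IncludeOutbound
} else {
    # Shares exist: do not silently break them; surface the risk and let the
    # administrator decide, as the comment proposes.
    Write-Warning "Host serves $($userShares.Count) SMB share(s); blocking will make them unreachable."
    $userShares | Select-Object Name, Path | Format-Table -AutoSize
    $answer = Read-Host "Block SMB anyway until the patch is applied? [y/N]"
    if ($answer -match '^[Yy]') { Block-Smb -IncludeOutbound }
    else { Write-Host "SMB left open; apply the vendor patch as soon as it ships." }
}
```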

Damn...I didn't hear Laurent ask for anyone's advice on disclosure, his opinion of MSFT, or anything else. Why doesn't everyone who thinks they're better off not knowing about software vulnerabilities go somewhere else and stick your head in the sand?

3 days, a week, a month? Laurent doesn't work for MSFT, he doesn't owe them or you anything. This is the equivalent of noticing your car explodes if you back it into something, disclosing the fact that it happens is reality, the person who tells you before you explode has done you a favor.

Their way of working is really awful. Our OSes are full of stupid bugs (that remain hidden because of closed source). They don't feel the need to triple-check the code just because every security flaw is first signalled, then made public. Fuck you! YOU MUST CHECK THE CODE I'M RUNNING. I paid for it and I want it to be almost bug free.. yes.. it is not possible, but such stupid bugs make me think they don't check their code at all.

A 0 day exploit like this can be a pain in terms of image. There should be more.. maybe they'll start doing things as they should!
